Evernote resets user passwords after being hit by “coordinated” hack

Breach exposes cryptographically hashed and salted passwords.

Evernote is requiring each of its 50 million users to reset their login credentials after the site's security team detected a security breach that exposed password data and other personal information.

In a security notice published Saturday, Evernote said the precautionary password reset came after an investigation found no evidence of any stored content being accessed, changed, or lost. The advisory also stated that payment information wasn't accessed. However, Evernote warned that user information—including usernames, cryptographically protected passwords, and e-mail addresses—were accessed. "Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption," the statement noted. "(In technical terms, they are hashed and salted.)"

Evernote's decision to cryptographically hash and salt this information is important in the wake of this digital break-in, because the technique makes the information slightly more time-consuming to crack. That can buy a security team time in the hours or days following the discovery of a breach. (For a more detailed explanation of the techniques, see Ars Security Editor Dan Goodin's feature "Why passwords have never been weaker—and crackers never been stronger.") Despite the precaution, Evernote's decision to reset all the passwords remains a necessary precaution.

Users can reset their Evernote account passwords by signing in then following the automated prompt. The site will also be releasing updates to several of their apps to help ease this password change process. As a final friendly reminder, Evernote re-emphasized a few common best practices for users when it comes to their future passwords:

Avoid using simple passwords based on dictionary words

Never use the same password on multiple sites or services

Never click on ‘reset password’ requests in e-mails—instead go directly to the service